Constructing $2m$-variable Boolean functions with optimal algebraic immunity based on
decomposition of the additive group of the finite field $\mathbb{F}_{2^{2m}}$ seems to be a
promising approach since Tu and Deng's work. In this paper, we consider the same problem in a
new way. Based on polar decomposition of the multiplicative group of $\mathbb{F}_{2^{2m}}$, we
propose a new construction of Boolean functions with optimal algebraic immunity. By a slight
modification of it, we obtain a class of balanced Boolean functions achieving optimal algebraic
immunity, which also have optimal algebraic degree and high nonlinearity. Computer
investigations imply that this class of functions also behave well against fast algebraic attacks.

1 Introduction

Boolean functions play an important role in symmetric cryptography, especially in the stream
ciphers based on linear feedback shift registers (LFSRs). They can be used as building blocks
in such key stream generators as filter generator and combiner generator. Due to the existence
of different kinds of known attacks on stream ciphers, Boolean functions that are usable should
satisfy some main criteria such as balancedness, high algebraic degree, high nonlinearity and
optimal algebraic immunity.

The notion of algebraic immunity was introduced in [18] by Meier et al. after the great success
of algebraic attacks on such well-known stream ciphers as Toyocrypt and LILI-128 [7]. In fact,
the algebraic immunity of a Boolean function $f$ is the smallest possible degree of the nonzero
Boolean functions that can annihilate $f$ or $f + 1$. If it is not big enough, the multivariate
polynomial systems derived from the stream ciphers involving $f$ would be efficiently solved,
and hence the secret key can be recovered. This is just the clever idea of the standard
algebraic attacks introduced (improved, more definitely) by Courtois and Meier [7]. It can be
proved that the best possible value of the algebraic immunity of $n$-variable Boolean functions
is $\lceil n/2 \rceil$ [7], thus functions attaining this upper bound are often known as
algebraic immunity optimal functions, or OAI functions for short.

After OAI Boolean functions were introduced, the natural question of 
constructing them was considered in a series of work (see e.g. [U [H [121 US])- 
But the initial constructions only focused on the criterion of optimal algebraic immunity and
did not satisfy other criteria of Boolean functions, so they were mainly of theoretical
interest. Besides, though having optimal algebraic immunity, these functions did not resist
fast algebraic attacks (FAAs) well. The technique of fast algebraic attack is improved from the
standard algebraic attack, the key point of which is to find low degree multiples of Boolean
functions used in the ciphers to be attacked such that their products are of reasonable
degree [6]. No progress in constructing Boolean functions having all "good" properties was made
until 2008. In their pioneering work, Carlet and Feng proposed an infinite class of balanced
Boolean functions which had optimal algebraic immunity, optimal algebraic degree and high
nonlinearity [5]. Computer experiments implied that the constructed functions also behaved well
against fast algebraic attacks (in fact, very recently this was validated by Liu et al. in
theory [13]).

In fact, Carlet and Feng seem to have suggested a principle of constructing Boolean functions
achieving optimal algebraic immunity from finite fields, that is, consecutive powers of
primitive elements of certain cyclic groups should be involved in the functions' supports,
which can promise the utility of the BCH bound from coding theory in proving the optimal
algebraic immunity of the constructed functions. Following this principle, Tu and Deng tried a
new idea and (almost) succeeded. They constructed a class of $2m$-variable Boolean functions
based on the additive decomposition

$$\mathbb{F}_{2^{2m}} = \mathbb{F}_{2^m} \times \mathbb{F}_{2^m} \qquad (1)$$

which optimized most of the criteria [21], but had two drawbacks: their optimal algebraic
immunity could only be proved assuming the correctness of a combinatorial conjecture, and their
ability to resist fast algebraic attacks is bad [3]. Afterwards, Tang et al. adopted a similar
technique, constructing a class of OAI functions which also had other good properties and good
immunity against fast algebraic attacks [20] (in fact, this was first stated by Tang et al.
based on computer experiments and later proved by Liu et al. in theory [13]). Very recently,
Jin et al. found a general construction that could involve Tu and Deng's construction and
Tang et al.'s construction as special cases [9]. The optimal algebraic immunity of these
functions was proved based on a general conjecture proposed in [20]. In all these constructions
of even variable OAI functions, the "certain cyclic group" was chosen to be
$\mathbb{F}_{2^m}^*$, the multiplicative group of the finite field $\mathbb{F}_{2^m}$.

In addition to the additive decomposition (1) of $\mathbb{F}_{2^{2m}}$, we also have a
multiplicative decomposition of $\mathbb{F}_{2^{2m}}^*$ like

$$\mathbb{F}_{2^{2m}}^* = \mathbb{F}_{2^m}^* \times U, \qquad (2)$$

where $U$ is a cyclic subgroup of $\mathbb{F}_{2^{2m}}^*$ of order $(2^m + 1)$. In fact, instead
of multiplicative decomposition, this decomposition is often known as the polar decomposition
of $\mathbb{F}_{2^{2m}}^*$, which can be used to construct bent and hyper-bent functions [19],
and vectorial Boolean functions achieving high algebraic immunity [in]. By choosing the
"certain cyclic group" in Carlet and Feng's principle to be $\mathbb{F}_{2^m}^*$, we propose a
new construction of $2m$-variable OAI Boolean functions based on the polar decomposition (2) in
this paper, which can be viewed as a multiplicative analog of Tu and Deng's construction. After
modifying these functions to be balanced ones, we obtain Boolean functions satisfying almost
all main criteria and potentially behaving well against fast algebraic attacks (by potentially
we mean that this is only supported by computational evidence up to present). A big difference
in the "modifying to be balanced" process between our construction and the former ones is that,
something should be subtracted from the supports of the initially constructed functions since
they are "fatter" than that of balanced functions in our construction, while something should
be added to the supports of the initially constructed functions since they are "thinner" than
that of balanced functions in the former constructions.

The rest of the paper is organized as follows. In Section 2, we give the necessary
preliminaries concerning Boolean functions. In Section 3, we prove a useful combination result,
based on which we construct a class of OAI Boolean functions in Section 4. In Section 5, these
functions are modified to be balanced ones which are also OAI functions, and their algebraic
degree, nonlinearity and behavior resisting fast algebraic attacks are studied. Concluding
remarks are given in Section 6.

2 Preliminary 

Let $\mathbb{F}_2$ be the binary finite field and $\mathbb{F}_2^n$ be the $n$-dimensional vector
space over $\mathbb{F}_2$. An $n$-variable Boolean function is a mapping from $\mathbb{F}_2^n$
to $\mathbb{F}_2$. Denote by $\mathbb{B}_n$ the set of all $n$-variable Boolean functions. The
support of a Boolean function $f$ is defined as

$$\mathrm{supp}(f) = \{x \in \mathbb{F}_2^n \mid f(x) = 1\},$$

and the cardinality of it, $\mathrm{wt}(f)$, is called the Hamming weight of $f$. Furthermore,
for another Boolean function $g \in \mathbb{B}_n$, the distance between $f$ and $g$ is defined
as $d(f, g) = \mathrm{wt}(f + g)$. When $\mathrm{wt}(f) = 2^{n-1}$, we call $f$ a balanced
function. Abusing notations, we also denote the Hamming weight of a vector
$v \in \mathbb{F}_2^n$, i.e. the number of nonzero positions of $v$, to be $\mathrm{wt}(v)$.
Besides, for an integer $u$, we denote by $\mathrm{wt}_n(u)$ the number of 1's in the binary
expansion of the reduction of $u$ modulo $(2^n - 1)$ in the complete residue system
$\{0, 1, \dots, 2^n - 2\}$. Obviously, $\mathrm{wt}_n(-u) = n - \mathrm{wt}_n(u)$ when
$2^n - 1 \nmid u$.

There are several ways to describe a Boolean function such as by its truth table, algebraic
normal form (ANF), univariate representation and so on. Each $f \in \mathbb{B}_n$ has a unique
ANF of the form

$$f(x_1, \dots, x_n) = \sum_{I \subseteq \{1, 2, \dots, n\}} a_I \prod_{i \in I} x_i, \quad a_I \in \mathbb{F}_2.$$

The algebraic degree of $f$, $\deg(f)$, is defined to be $\max\{|I| \mid a_I \neq 0\}$. It
should be noted that for $n$-variable balanced Boolean functions, the maximal possible algebraic
degree is $(n - 1)$. Boolean functions of degree at most 1 are called affine functions, and the
set of all of them is denoted by $A_n$. In order to resist the fast correlation attacks,
Boolean functions used in cryptographic systems should have high nonlinearity, where the
nonlinearity of a Boolean function $f$, $\mathcal{N}_f$, is defined as the minimum distance
between $f$ and all affine functions, i.e.

$$\mathcal{N}_f = \min_{a \in A_n} d(f, a).$$

Walsh transform is a powerful tool in studying Boolean functions. For any
$\lambda \in \mathbb{F}_2^n$, the Walsh transform of $f \in \mathbb{B}_n$ at $\lambda$ is
defined by

$$W_f(\lambda) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) + \lambda \cdot x},$$

where "$\cdot$" represents the Euclidean inner product of vectors. Many criteria of $f$ can be
described by its Walsh transform such as balancedness, nonlinearity and correlation
immunity [2]. For example, we have $W_f(0) = 0$ when $f$ is balanced, and we can equivalently
express nonlinearity of $f$ by

$$\mathcal{N}_f = 2^{n-1} - \frac{1}{2} \max_{\lambda \in \mathbb{F}_2^n} |W_f(\lambda)|.$$

It is well known that the finite field $\mathbb{F}_{2^n}$ is isomorphic to $\mathbb{F}_2^n$
through the choice of a basis of $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$, hence naturally, the
Boolean function $f$ can be represented by a univariate polynomial over $\mathbb{F}_{2^n}$ of
the form

$$f(x) = \sum_{i=0}^{2^n - 1} f_i x^i.$$

It can be proved that as a Boolean function, the coefficients of $f$ satisfy $f_{2i} = f_i^2$
(subscripts reduced modulo $(2^n - 1)$) for $1 \le i \le 2^n - 2$ and
$f_0, f_{2^n - 1} \in \mathbb{F}_2$. Besides, it is not difficult to deduce that

$$\deg(f) = \max\{\mathrm{wt}_n(i) \mid f_i \neq 0,\ 0 \le i \le 2^n - 1\}.$$

Under univariate representation, the Walsh transform of $f$ at $\lambda \in \mathbb{F}_{2^n}$
can be described as

$$W_f(\lambda) = \sum_{x \in \mathbb{F}_{2^n}} (-1)^{f(x) + \mathrm{tr}_1^n(\lambda x)},$$

where $\mathrm{tr}_1^n(\cdot)$ is the trace function from $\mathbb{F}_{2^n}$ to $\mathbb{F}_2$,
i.e. $\mathrm{tr}_1^n(x) = \sum_{i=0}^{n-1} x^{2^i}$ for any $x \in \mathbb{F}_{2^n}$.

When $n$ is even, we can give another formulation of the univariate representation of Boolean
functions based on polar decomposition of $\mathbb{F}_{2^n}^*$. Let $n = 2m$. Then
$\mathbb{F}_{2^m}^*$ is a cyclic subgroup of $\mathbb{F}_{2^n}^*$. Since
$(2^m - 1, \frac{2^n - 1}{2^m - 1}) = (2^m - 1, 2^m + 1) = 1$, there exists a cyclic subgroup
$U$ of $\mathbb{F}_{2^n}^*$ of order $2^m + 1$ such that

$$\mathbb{F}_{2^n}^* = \mathbb{F}_{2^m}^* \times U.$$

This is just the polar decomposition of $\mathbb{F}_{2^n}^*$. If we assume $\alpha$ to be a
primitive element of $\mathbb{F}_{2^n}$, then it is obvious that $U = \langle \xi \rangle$ where
$\xi = \alpha^{2^m - 1}$. From the polar decomposition we know that any
$x \in \mathbb{F}_{2^n}^*$ can be represented as $x = yz$ for some $y \in \mathbb{F}_{2^m}^*$
and $z \in U$. Then we can represent the Boolean function $f$ by

$$f(x) = \begin{cases} f_0 & \text{if } x = 0; \\ f'(x) = f'(y, z) & \text{if } 0 \neq x = yz,\ y \in \mathbb{F}_{2^m}^*,\ z \in U, \end{cases}$$

where $f'(x) = \sum_{i=0}^{2^n - 2} f'_i x^i$ is the polynomial representation of the map
$\mathbb{F}_{2^n}^* \to \mathbb{F}_2$, $c \mapsto f(c)$ (by Lagrange interpolation). Note that

$$\sum_{i=0}^{2^n - 2} f'_i x^i = \sum_{j=0}^{2^m - 2} \sum_{k=0}^{2^m} f'_{j,k} y^j z^k,$$

where for any $0 \le i \le 2^n - 2$, $f'_i = f'_{j,k}$ if and only if

$$\begin{cases} i \equiv j \mod (2^m - 1) \\ i \equiv k \mod (2^m + 1), \end{cases}$$

i.e. $i = 2^{m-1}((2^m + 1)j + (2^m - 1)k) \mod (2^n - 1)$ (by the Chinese remainder
theorem). Besides,

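$$\begin{aligned}
f(x) &= f_0 (x^{2^n - 1} + 1) + f'(x) x^{2^n - 1} \\
     &= f_0 + f_0 x^{2^n - 1} + x^{2^n - 1} \sum_{i=0}^{2^n - 2} f'_i x^i \\
     &= f_0 + (f_0 + f'_0) x^{2^n - 1} + \sum_{i=1}^{2^n - 2} f'_i x^i \mod (x^{2^n} + x),
\end{aligned}$$

hence the algebraic degree of $f$ can be expressed as

$$\deg(f) = \begin{cases} \max\{\mathrm{wt}_n(2^{m-1}((2^m + 1)j + (2^m - 1)k)) \mid f'_{j,k} \neq 0\} & \text{if } f_0 + f'_0 = 0; \\ n & \text{if } f_0 + f'_0 \neq 0. \end{cases}$$

That is to say, if the algebraic degree of $f$ is smaller than $n$, we have
$f_0 = f'_0 = f'_{0,0}$ and

$$\begin{aligned}
\deg(f) &= \max\{\mathrm{wt}_n(2^{m-1}((2^m + 1)j + (2^m - 1)k)) \mid f'_{j,k} \neq 0\} \\
        &= \max\{\mathrm{wt}_n((2^m + 1)j + (2^m - 1)k) \mid f'_{j,k} \neq 0\}.
\end{aligned}$$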

To finish this section, we recall the definition of algebraic immunity of 
Boolean functions. 

Definition 2.1. Let $f, g \in \mathbb{B}_n$. $g$ is called an annihilator of $f$ if $fg = 0$.
The algebraic immunity of $f$, $\mathrm{AI}(f)$, is defined to be the smallest possible degree
of the nonzero annihilators of $f$ or $f + 1$, i.e.

$$\mathrm{AI}(f) = \min_{0 \neq g \in \mathbb{B}_n} \{\deg(g) \mid fg = 0 \text{ or } (f + 1)g = 0\}.$$



3 A combination fact 

In this section, we prove a useful combination result about the weight distribution of
integers, which will be of key importance in proving the optimal algebraic immunity of the
Boolean functions constructed in the following sections.

Lemma 3.1. Let $n = 2m$. Then for any $0 \le j \le 2^m - 2$, $1 \le k \le 2^m$, we have

$$\mathrm{wt}_n((2^m + 1)(2^m - 1 - j) + (2^m - 1)k) = n - \mathrm{wt}_n((2^m + 1)j + (2^m - 1)k).$$

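Proof. Obviously,

$$\begin{aligned}
2^m [2^m (j - k) + (j + k)] &= 2^n (j - k) + 2^m (j + k) \\
                            &\equiv 2^m (j + k) + (j - k) \mod (2^n - 1),
\end{aligned}$$

and thus

$$\begin{aligned}
\mathrm{wt}_n(2^m (j - k) + (j + k)) &= \mathrm{wt}_n(2^m [2^m (j - k) + (j + k)]) \\
                                     &= \mathrm{wt}_n(2^m (j + k) + (j - k)) \\
                                     &= \mathrm{wt}_n((2^m + 1)j + (2^m - 1)k).
\end{aligned}$$

Then we get

$$\begin{aligned}
\mathrm{wt}_n((2^m + 1)(2^m - 1 - j) + (2^m - 1)k) &= \mathrm{wt}_n(2^n - 1 - (2^m + 1)j + (2^m - 1)k) \\
  &= n - \mathrm{wt}_n((2^m + 1)j - (2^m - 1)k) \\
  &= n - \mathrm{wt}_n(2^m (j - k) + (j + k)) \\
  &= n - \mathrm{wt}_n((2^m + 1)j + (2^m - 1)k).
\end{aligned}$$

□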

Proposition 3.2. Let $n = 2m$. For any $0 \le k \le 2^m$, define

$$S_k = \{j \in \mathbb{Z}/(2^m - 1)\mathbb{Z} \mid \mathrm{wt}_n((2^m + 1)j + (2^m - 1)k) < m\}.$$

Then $|S_k| \le 2^{m-1}$, $0 \le k \le 2^m$. Moreover, "=" holds if and only if $m$ is odd
and $k = 0$.

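Proof. Consider the case $k = 0$ firstly. Since

$$\begin{aligned}
S_0 &= \{j \in \mathbb{Z}/(2^m - 1)\mathbb{Z} \mid \mathrm{wt}_n((2^m + 1)j) < m\} \\
    &= \{j \in \mathbb{Z}/(2^m - 1)\mathbb{Z} \mid \mathrm{wt}_n(2^m j + j) < m\} \\
    &= \{j \in \mathbb{Z}/(2^m - 1)\mathbb{Z} \mid \mathrm{wt}_m(j) < \tfrac{m}{2}\},
\end{aligned}$$

it is easy to get

$$|S_0| = \begin{cases} \sum_{i=0}^{(m-1)/2} \binom{m}{i} & \text{if } m \text{ is odd}; \\ \sum_{i=0}^{m/2 - 1} \binom{m}{i} & \text{if } m \text{ is even}, \end{cases}$$

so $|S_0| = 2^{m-1}$ if $m$ is odd, and $|S_0| < 2^{m-1}$ when $m$ is even.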

Now we consider the case $1 \le k \le 2^m$. Define the set

$$T_k = \{j \in \mathbb{Z}/(2^m - 1)\mathbb{Z} \mid \mathrm{wt}_n((2^m + 1)j + (2^m - 1)k) > m\}.$$

From Lemma 3.1 we have for any $0 \le j \le 2^m - 2$,

$$\mathrm{wt}_n((2^m + 1)(2^m - 1 - j) + (2^m - 1)k) = n - \mathrm{wt}_n((2^m + 1)j + (2^m - 1)k),$$

thus $|S_k| = |T_k|$. On the other hand, since

$$\begin{aligned}
\mathrm{wt}_n((2^m - 1)k) &= \mathrm{wt}_n(2^m (2^m k - k)) \\
                          &= \mathrm{wt}_n(k - 2^m k) \\
                          &= n - \mathrm{wt}_n((2^m - 1)k),
\end{aligned}$$

i.e. $\mathrm{wt}_n((2^m - 1)k) = \frac{n}{2} = m$, we know that $0 \notin S_k$ and
$0 \notin T_k$, which implies

$$|S_k| + |T_k| \le 2^m - 2$$

as $S_k \cap T_k = \emptyset$. Then it follows that $|S_k| \le 2^{m-1} - 1 < 2^{m-1}$. □
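
Lemma 3.1 and Proposition 3.2 can be checked exhaustively for small $m$. The following Python
sketch is an added illustration, not part of the original paper; the function names are chosen
for this example only.

```python
def wt_n(u, n):
    """Number of 1's in the binary expansion of u reduced modulo 2^n - 1."""
    return bin(u % ((1 << n) - 1)).count("1")


def lemma_3_1_holds(m):
    """Check wt_n((2^m+1)(2^m-1-j) + (2^m-1)k) = n - wt_n((2^m+1)j + (2^m-1)k)."""
    n, q = 2 * m, 1 << m
    return all(
        wt_n((q + 1) * (q - 1 - j) + (q - 1) * k, n)
        == n - wt_n((q + 1) * j + (q - 1) * k, n)
        for j in range(q - 1)          # 0 <= j <= 2^m - 2
        for k in range(1, q + 1)       # 1 <= k <= 2^m
    )


def s_sizes(m):
    """[|S_0|, ..., |S_{2^m}|] with S_k as defined in Proposition 3.2."""
    n, q = 2 * m, 1 << m
    return [
        sum(wt_n((q + 1) * j + (q - 1) * k, n) < m for j in range(q - 1))
        for k in range(q + 1)
    ]


def proposition_3_2_holds(m):
    """|S_k| <= 2^(m-1) for all k, with equality exactly when m is odd and k = 0."""
    sizes, bound = s_sizes(m), 1 << (m - 1)
    equal_at = [k for k, s in enumerate(sizes) if s == bound]
    return max(sizes) <= bound and equal_at == ([0] if m % 2 else [])


if __name__ == "__main__":
    for m in range(2, 8):
        print(m, lemma_3_1_holds(m), proposition_3_2_holds(m), s_sizes(m)[:4])
```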

4 A class of unbalanced OAI Boolean functions

In this section, based on polar decomposition of $\mathbb{F}_{2^{2m}}^*$ and the combination
results in Section 3, we construct a new class of OAI Boolean functions.

Construction 4.1. Let $n = 2m$. Let $\beta$ be a primitive element of $\mathbb{F}_{2^m}$ and
$U$ be the cyclic group defined in Section 2. Set
$A = \{1, \beta, \beta^2, \dots, \beta^{2^{m-1} - 1}\}$. Define an $n$-variable Boolean
function $f$ by setting

$$\mathrm{supp}(f) = A \times U.$$



Theorem 4.2. Let $f$ be the Boolean function defined in Construction 4.1. Then $f$ has optimal
algebraic immunity.

Proof. From the definition of algebraic immunity, it suffices to prove that there is no nonzero
annihilator with degree smaller than $m$ of both $f$ and $f + 1$.

Suppose $g \neq 0$ is an annihilator of $f$ with algebraic degree smaller than $m$. Assume

$$g(x) = \begin{cases} g'(y, z) & \text{if } 0 \neq x = yz,\ y \in \mathbb{F}_{2^m}^*,\ z \in U; \\ g_0 & \text{if } x = 0, \end{cases}$$

where $g'(y, z) = \sum_{j=0}^{2^m - 2} \sum_{k=0}^{2^m} g_{j,k} y^j z^k$,
$g_{j,k} \in \mathbb{F}_{2^n}$, $g_0 \in \mathbb{F}_2$. Then

$$g'(y, z) = \sum_{k=0}^{2^m} \Big( \sum_{j=0}^{2^m - 2} g_{j,k} y^j \Big) z^k = \sum_{k=0}^{2^m} g_k(y) z^k = 0$$

for all $z \in U$ and $y \in A$, where $g_k(y) = \sum_{j=0}^{2^m - 2} g_{j,k} y^j$. For any
fixed $y_0 \in A$, since $g'(y_0, z)$ has $(2^m + 1)$ zeros, we conclude that $g_k(y) = 0$ for
any $y \in A$, $0 \le k \le 2^m$.

On the one hand, from the definition of BCH code [17], we know that for $0 \le k \le 2^m$,
$(g_{0,k}, g_{1,k}, g_{2,k}, \dots, g_{2^m - 2,k})$ is a codeword of some BCH code over
$\mathbb{F}_{2^n}$ of length $(2^m - 1)$ with elements in $A$ as zeros. Thus based on the BCH
bound, the Hamming weight of a nonzero codeword should be greater than or equal to
$(2^{m-1} + 1)$, i.e.

$$\mathrm{wt}(g_{0,k}, g_{1,k}, g_{2,k}, \dots, g_{2^m - 2,k}) \ge 2^{m-1} + 1.$$

On the other hand, since $\deg(g) < m$, we have $g_{j,k} = 0$ if
$\mathrm{wt}_n((2^m + 1)j + (2^m - 1)k) \ge m$. From Proposition 3.2 we know that
$|S_k| \le 2^{m-1}$. That is

$$\mathrm{wt}(g_{0,k}, g_{1,k}, g_{2,k}, \dots, g_{2^m - 2,k}) \le 2^{m-1},$$

which leads to a contradiction. Hence $g = 0$.

Next, we consider the function $f + 1$. Note that

$$\mathrm{supp}(f + 1) = (A' \times U) \cup \{0\}$$

where $A' = \{\beta^{2^{m-1}}, \beta^{2^{m-1} + 1}, \dots, \beta^{2^m - 2}\}$. Similar to the
proof with respect to $f$, we let $g$ be now a nonzero annihilator of $f + 1$ with algebraic
degree smaller than $m$. We can deduce from the BCH bound that, for any $0 \le k \le 2^m$, the
vector $(g_{0,k}, g_{1,k}, g_{2,k}, \dots, g_{2^m - 2,k})$ has weight at least $2^{m-1}$ since
$|A'| = 2^{m-1} - 1$. By Proposition 3.2 we know that when $m$ is even, the weight of
$(g_{0,k}, g_{1,k}, \dots, g_{2^m - 2,k})$ is smaller than $2^{m-1}$, thus a contradiction
follows and $g = 0$. When $m$ is odd, we have
$(g_{0,k}, g_{1,k}, g_{2,k}, \dots, g_{2^m - 2,k}) = (0, 0, \dots, 0)$ for $1 \le k \le 2^m$.
Since $|S_0| = 2^{m-1}$, we get
$\mathrm{wt}((g_{0,0}, g_{1,0}, \dots, g_{2^m - 2,0})) = 2^{m-1}$, which implies that
$g_{0,0} = g_0 = 1$. However, this contradicts the fact that $0 \in \mathrm{supp}(f + 1)$. We
also have $g = 0$.

To summarize, we know that $f$ has optimal algebraic immunity. □

Remark 4.3. From the proof of Theorem 4.2, it is easy to see that if we replace the set $A$ in
Construction 4.1 by $\{\beta^s, \beta^{s+1}, \dots, \beta^{s + 2^{m-1} - 1}\}$ for any
$0 \le s \le 2^m - 2$, we can also obtain Boolean functions with optimal algebraic immunity.

It is direct to find that the weight of the function in Construction 4.1 is
$(2^{n-1} + 2^{m-1})$, which is bigger than that of balanced functions. Thus we do not talk
about their further properties since they are not of applicable interest.

5 Balanced functions with optimal algebraic 
immunity and other good properties 

In this section, we modify the functions in Construction 4.1 to be balanced ones which maintain
optimal algebraic immunity by changing some points between their supports and zeros.
Furthermore, we study in detail properties of these balanced functions such as their algebraic
degree, nonlinearity and immunity against fast algebraic attacks.

Construction 5.1. Let $n = 2m$. Let $\alpha$ be a primitive element of $\mathbb{F}_{2^n}$ and
$\beta = \alpha^{2^m + 1}$, $\xi = \alpha^{2^m - 1}$. Set
$\Gamma = \{\beta, \beta^2, \dots, \beta^{2^{m-1} - 1}\}$. Define an $n$-variable Boolean
function $F$ by setting

$$\mathrm{supp}(F) = (\Gamma \times U) \cup (\{1\} \times \{1, \xi, \dots, \xi^{2^{m-1}}\}).$$

Theorem 5.2. Let $F$ be the Boolean function defined in Construction 5.1. Then $F$ is balanced
and has optimal algebraic immunity.

Proof. It is obvious that
$\mathrm{wt}(F) = (2^{m-1} - 1) \times (2^m + 1) + 2^{m-1} + 1 = 2^{n-1}$, so $F$ is balanced.

The proof of optimal algebraic immunity of $F$ is similar to that of Theorem 4.2. Suppose $g$
is a nonzero annihilator of $F$ with algebraic degree smaller than $m$, and assume

$$g(x) = \begin{cases} g'(y, z) & \text{if } 0 \neq x = yz,\ y \in \mathbb{F}_{2^m}^*,\ z \in U; \\ g_0 & \text{if } x = 0, \end{cases}$$

where $g'(y, z) = \sum_{j=0}^{2^m - 2} \sum_{k=0}^{2^m} g_{j,k} y^j z^k$,
$g_{j,k} \in \mathbb{F}_{2^n}$, $g_0 \in \mathbb{F}_2$. Since
$\{\beta, \beta^2, \dots, \beta^{2^{m-1} - 1}\} \times U \subseteq \mathrm{supp}(F)$, by the
BCH bound and Proposition 3.2 we get for $k > 0$,
$(g_{0,k}, g_{1,k}, \dots, g_{2^m - 2,k}) = (0, 0, \dots, 0)$. Then $g'(y, z)$ turns to
$g'(y, z) = \sum_{j=0}^{2^m - 2} g_{j,0} y^j$. Besides, as
$\{1\} \times \{1, \xi, \dots, \xi^{2^{m-1}}\} \subseteq \mathrm{supp}(F)$, we have

$$g'(1, z) = \sum_{j=0}^{2^m - 2} g_{j,0} = 0,$$

which means that $\{1, \beta, \beta^2, \dots, \beta^{2^{m-1} - 1}\}$ are zeros of certain BCH
code containing $(g_{0,0}, g_{1,0}, \dots, g_{2^m - 2,0})$ as a codeword. Using the BCH bound
and Proposition 3.2 again, we obtain a contradiction. Thus $F$ has no nonzero annihilator with
degree smaller than $m$. With respect to $F + 1$, the proof procedure is almost the same.

Finally, we conclude that the Boolean function $F$ has optimal algebraic immunity. □

Remark 5.3. From the proof of Theorem 5.2, it is not difficult to see that we can also set
$\mathrm{supp}(F) = (\{1, \beta, \dots, \beta^{2^{m-1} - 2}\} \times U) \cup (\{\beta^{2^{m-1} - 1}\} \times \{1, \xi, \dots, \xi^{2^{m-1}}\})$
to obtain balanced Boolean functions with optimal algebraic immunity.

5.1 Polynomial representation and algebraic degree 

In the following, we compute the univariate representation of the OAI Boolean function $F$ in
Construction 5.1 and deduce its algebraic degree.

By the Chinese remainder theorem, we can write the support of F in the 
form 

supp(F) = {a ^-H^ + iy + (2--m \i<j< 2—i _ 1, o < k < 2 m } 

For simplicity, we identify the integer $2^{m-1}((2^m + 1)j + (2^m - 1)k)$ reduced modulo
$(2^n - 1)$ with a pair $(j, k)$ where $0 \le j \le 2^m - 2$, $0 \le k \le 2^m$. It is easy to
find that

$$\begin{aligned}
(j + 1, k + 1) &= 2^{m-1}((2^m + 1)(j + 1) + (2^m - 1)(k + 1)) \\
               &= 2^{m-1}((2^m + 1)j + (2^m - 1)k) + 1 \\
               &= (j, k) + 1,
\end{aligned}$$

and

$$\begin{aligned}
(j, k - 2) &= 2^{m-1}((2^m + 1)j + (2^m - 1)(k - 2)) \\
           &= 2^{m-1}((2^m + 1)j + (2^m - 1)k) + (2^m - 1) \\
           &= (j, k) + (2^m - 1).
\end{aligned}$$

Using these properties, we can derive that the support of $F$ is just

$$\begin{aligned}
\mathrm{supp}(F) &= \{\alpha^{(j,k)} \mid 1 \le j \le 2^{m-1} - 1,\ 0 \le k \le 2^m\} \cup \{\alpha^{(0,k)} \mid 0 \le k \le 2^{m-1}\} \\
                 &= \{\alpha^{l(2^m - 1) + r} \mid 0 \le l \le 2^m,\ 1 \le r \le 2^{m-1} - 1\} \cup \{\alpha^{2^{m-1}(2^m - 1)k} \mid 0 \le k \le 2^{m-1}\}.
\end{aligned}$$

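Then the coefficients of the function $f'$ whose support is the first part of
$\mathrm{supp}(F)$ can be described explicitly, i.e. for $0 < i < 2^n - 1$,

$$\begin{aligned}
f'_i &= \sum_{l=0}^{2^m} \sum_{j = l(2^m - 1) + 1}^{l(2^m - 1) + 2^{m-1} - 1} (\alpha^{-i})^j \\
     &= \sum_{l=0}^{2^m} \frac{(\alpha^{-i})^{1 + l(2^m - 1)} (1 - (\alpha^{-i})^{2^{m-1} - 1})}{1 - \alpha^{-i}} \\
     &= \frac{\alpha^{-i} (1 - \alpha^{-i(2^{m-1} - 1)})}{1 - \alpha^{-i}} \sum_{l=0}^{2^m} \alpha^{-il(2^m - 1)} \\
     &= \begin{cases} 0 & \text{if } 2^m + 1 \nmid i; \\ \dfrac{\alpha^{-i} (1 - \alpha^{-i(2^{m-1} - 1)})}{1 - \alpha^{-i}} & \text{if } 2^m + 1 \mid i. \end{cases}
\end{aligned}$$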

Similarly, the coefficients of $f''$ whose support is the second part of $\mathrm{supp}(F)$ are
that, for $0 < i < 2^n - 1$,

$$f''_i = \sum_{k=0}^{2^{m-1}} (\alpha^{-i})^{2^{m-1}(2^m - 1)k} = \begin{cases} \dfrac{1 - \alpha^{-i 2^{m-1}(2^m - 1)(2^{m-1} + 1)}}{1 - \alpha^{-i 2^{m-1}(2^m - 1)}} & \text{if } 2^m + 1 \nmid i; \\ 1 & \text{if } 2^m + 1 \mid i. \end{cases}$$

It is obvious that, if we assume $F(x) = \sum_{i=0}^{2^n - 1} F_i x^i$, then
$F_i = f'_i + f''_i$ for $1 \le i \le 2^n - 2$, $F_0 = 0$ (since $F(0) = 0$) and
$F_{2^n - 1} = 0$ (since $F$ is balanced). Hence we can give the univariate representation
of $F$.
Theorem 5.4. Let $F$ be the $n$-variable Boolean function defined in Construction 5.1. Then the
univariate representation of $F$ is

$$F(x) = \sum_{i=1}^{2^n - 2} F_i x^i,$$

where

$$F_i = \begin{cases} \dfrac{1 - \alpha^{-i 2^{m-1}(2^m - 1)(2^{m-1} + 1)}}{1 - \alpha^{-i 2^{m-1}(2^m - 1)}} & \text{if } 2^m + 1 \nmid i; \\ 1 + \dfrac{\alpha^{-i} (1 - \alpha^{-i(2^{m-1} - 1)})}{1 - \alpha^{-i}} & \text{if } 2^m + 1 \mid i. \end{cases}$$

Hence the algebraic degree of $F$ is $(n - 1)$, which is optimal for balanced Boolean functions.

5.2 Nonlinearity 

To determine the lower bound of the nonlinearity of the Boolean functions in Construction 5.1,
we need some necessary background.

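Definition 5.5 ([11]). Let $a \in \mathbb{F}_{2^m}$. The binary complete Kloosterman sum is
defined as

$$\mathcal{K}(a) = \sum_{x \in \mathbb{F}_{2^m}} (-1)^{\mathrm{tr}_1^m(1/x + ax)}.$$

Lemma 5.6 ([ID]). Let $a \in \mathbb{F}_{2^m}^*$ and $U$ be the cyclic group defined in
Section 2. Then

$$\sum_{z \in U} (-1)^{\mathrm{tr}_1^n(az)} = 1 - \mathcal{K}(a).$$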

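Lemma 5.7 ([20]). Let $\beta$ be a primitive element of $\mathbb{F}_{2^m}$. Let

$$A_s = \{\beta^s, \beta^{s+1}, \dots, \beta^{s + 2^{m-1} - 1}\}$$

where $0 \le s < 2^m - 1$ is an integer. Then

$$\Big| \sum_{\gamma \in A_s} (\mathcal{K}(\gamma) - 1) \Big| \le \Big( \frac{\ln 2}{\pi} m + 0.42 \Big) 2^m + 1.$$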
Theorem 5.8. Let $F$ be the Boolean function defined in Construction 5.1. Then

$$\mathcal{N}_F \ge 2^{n-1} - \Big( \frac{\ln 2}{\pi} m + 0.92 \Big) 2^m - 1.$$

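Proof. We denote the set $\{1, \xi, \dots, \xi^{2^{m-1}}\}$ by $A$. Obviously, $W_F(0) = 0$
since $F$ is balanced.

For any $a \in \mathbb{F}_{2^n}^*$, we assume $a = a_1 a_2$ where $a_1 \in \mathbb{F}_{2^m}^*$,
$a_2 \in U$. By Lemma 5.6 we have

$$\begin{aligned}
W_F(a) &= -2 \sum_{x \in \mathrm{supp}(F)} (-1)^{\mathrm{tr}_1^n(ax)} \\
       &= -2 \Big[ \sum_{y \in \Gamma} \sum_{z \in U} (-1)^{\mathrm{tr}_1^n(a_1 y a_2 z)} + \sum_{z \in A} (-1)^{\mathrm{tr}_1^n(a_1 a_2 z)} \Big] \\
       &= -2 \Big[ \sum_{y \in \Gamma'} (1 - \mathcal{K}(a_1 y)) - \sum_{z \in U} (-1)^{\mathrm{tr}_1^n(a_1 z)} + \sum_{z \in A'} (-1)^{\mathrm{tr}_1^n(a_1 z)} \Big] \\
       &= -2 \Big[ \sum_{y \in \Gamma'} (1 - \mathcal{K}(a_1 y)) - \sum_{z \in U \setminus A'} (-1)^{\mathrm{tr}_1^n(a_1 z)} \Big],
\end{aligned}$$

where $A' = \{a_2, a_2 \xi, \dots, a_2 \xi^{2^{m-1}}\}$,
$\Gamma' = \{1, \beta, \dots, \beta^{2^{m-1} - 1}\}$.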

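Since $a_1 \in \mathbb{F}_{2^m}^*$, it can be represented as $a_1 = \beta^s$ for some
$0 \le s \le 2^m - 2$. Then

$$\sum_{y \in \Gamma'} (\mathcal{K}(a_1 y) - 1) = \sum_{\gamma \in A_s} (\mathcal{K}(\gamma) - 1),$$

where $A_s = \{\beta^s, \beta^{s+1}, \dots, \beta^{s + 2^{m-1} - 1}\}$. By Lemma 5.7 we know
that

$$\Big| \sum_{y \in \Gamma'} (1 - \mathcal{K}(a_1 y)) \Big| \le \Big( \frac{\ln 2}{\pi} m + 0.42 \Big) 2^m + 1.$$

Therefore,

$$|W_F(a)| \le 2 \Big[ \Big( \frac{\ln 2}{\pi} m + 0.42 \Big) 2^m + 1 + 2^{m-1} \Big].$$

Finally we get

$$\begin{aligned}
\mathcal{N}_F &= 2^{n-1} - \frac{1}{2} \max_{a \in \mathbb{F}_{2^n}} |W_F(a)| \\
              &\ge 2^{n-1} - \Big( \frac{\ln 2}{\pi} m + 0.42 \Big) 2^m - 2^{m-1} - 1 \\
              &= 2^{n-1} - \Big( \frac{\ln 2}{\pi} m + 0.92 \Big) 2^m - 1.
\end{aligned}$$

□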

In fact, the lower bound in Theorem 5.8 is not satisfactory at all since we have used the naive
estimation

$$\Big| \sum_{z \in U \setminus A'} (-1)^{\mathrm{tr}_1^n(a_1 z)} \Big| \le 2^{m-1}$$

in the proof. Hence it is not so safe to say that the function $F$ has good nonlinearity.
Nevertheless, for those $n$ for which we can compute the exact value of nonlinearity, it
appears good.

Denote by $\mathcal{N}_{C\text{-}F}$, $\mathcal{N}_{T\text{-}C\text{-}T}$ and $\mathcal{N}_F$
the exact values of nonlinearity of the Carlet-Feng functions [5], the Tang-Carlet-Tang
functions [20] and the functions in Construction 5.1 respectively. By a Magma program, we
investigate the exact values of nonlinearity for small numbers of variables under the choice of
the default primitive element of $\mathbb{F}_{2^n}$ in the Magma system. The results are
displayed in Table 1. By the comparison, we find our functions perform almost as well as the
Carlet-Feng and Tang-Carlet-Tang functions.

Table 1: Comparison of the exact values of nonlinearity with some known constructions

n     N_{C-F}    N_{T-C-T}   N_F       2^{n-1} - 2^{n/2-1}
4     4          4           4         6
6     24         22          22        28
8     112        108         108       120
10    478        476         474       496
12    1970       1982        1976      2016
14    8036       8028        8026      8128
16    32530      32508       32498     32540
18    130442     130504      130484    130812
20    523154     523144      523122    523776

To obtain better estimation of the nonlinearity of the functions in Construction 5.1, the key
difficulty is to estimate such exponential sums as

$$\sum_{x \in \{\xi^s, \xi^{s+1}, \dots, \xi^{s + 2^{m-1} - 1}\}} (-1)^{\mathrm{tr}_1^n(cx)}$$

for any $0 \le s \le 2^m$ and $c \in \mathbb{F}_{2^m}^*$, where $\xi$ is a generator of the
cyclic group $U$. Unfortunately, the standard technique of using Gauss sums would not work for
this kind of incomplete exponential sums over finite fields. Maybe more advanced number
theoretic tools should be introduced to overcome this
difficulty. Though we have not found them up to present, we conjecture that 
|*,| = 0(2t). 

5.3 Immunity against fast algebraic attacks 

The property of optimal algebraic immunity is a necessary but not sufficient condition for a
Boolean function because of the existence of fast algebraic attacks. In this subsection, we
analyze the ability of the Boolean functions in Construction 5.1 against fast algebraic attacks.

An $n$-variable Boolean function $f$ is optimal with respect to fast algebraic attacks if for
any pair of integers $(e, d)$ such that $e + d < n$ and $e < n/2$, there does not exist a
function $g \neq 0$ of algebraic degree at most $e$ such that $fg$ has degree at most $d$ [6].
Armknecht et al. proposed an efficient algorithm [1] to determine the existence of $g$ and $h$
with corresponding degrees. Based on Algorithm 2 in [1], we investigate the behavior of the
functions in Construction 5.1 against fast algebraic attacks for small numbers of variables by
a Magma program.

We choose the default primitive element of $\mathbb{F}_{2^n}$ in the Magma system. For even $n$
ranging from 4 to 14 and $e < \frac{n}{2}$, we can find the pairs $(e, d)$ with
$e + d \ge n - 1$, but the pairs $(e, d)$ such that $e + d \le n - 2$ have never been observed.
That implies that the functions in Construction 5.1 have good immunity to fast algebraic
attacks though they are not optimal.
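
The properties proved in Sections 4 and 5 can be reproduced for small $m$ with the following
Python sketch, which builds the functions of Constructions 4.1 and 5.1 and computes their
weight, algebraic immunity, algebraic degree and nonlinearity. It is an added example, not the
authors' Magma program; the primitive polynomials in PRIM_POLY, the identification of
$\mathbb{F}_{2^n}$ with $\mathbb{F}_2^n$ through the polynomial basis and all function names are
assumptions of this example, and since nonlinearity may depend on the primitive element chosen
it need not reproduce Table 1.

```python
from itertools import combinations

# Primitive polynomials over GF(2) (assumed choice for this example).
PRIM_POLY = {4: 0b10011, 6: 0b1000011, 8: 0b100011101}

def field_powers(n):
    """[alpha^0, ..., alpha^(2^n-2)] for alpha = x, elements stored as n-bit integers."""
    x, out = 1, []
    for _ in range((1 << n) - 1):
        out.append(x)
        x <<= 1
        if x >> n:
            x ^= PRIM_POLY[n]
    assert len(set(out)) == len(out)  # alpha generates the whole multiplicative group
    return out

def truth_table(n, exponents):
    """Truth table indexed by the coordinate vector of x, with support {alpha^e}."""
    pw, tt = field_powers(n), [0] * (1 << n)
    for e in exponents:
        tt[pw[e % len(pw)]] = 1
    return tt

def construction_4_1(m):
    """supp(f) = A x U with A = {1, beta, ..., beta^(2^(m-1)-1)}."""
    q = 1 << m  # beta = alpha^(q+1), xi = alpha^(q-1)
    return truth_table(2 * m, [(q + 1) * j + (q - 1) * k
                               for j in range(q // 2) for k in range(q + 1)])

def construction_5_1(m):
    """supp(F) = (Gamma x U) u ({1} x {1, xi, ..., xi^(2^(m-1))})."""
    q = 1 << m
    gamma_u = [(q + 1) * j + (q - 1) * k for j in range(1, q // 2) for k in range(q + 1)]
    return truth_table(2 * m, gamma_u + [(q - 1) * k for k in range(q // 2 + 1)])

def algebraic_degree(tt):
    """Degree of the ANF, obtained with the binary Moebius transform."""
    anf, n = tt[:], len(tt).bit_length() - 1
    for i in range(n):
        for x in range(len(anf)):
            if (x >> i) & 1:
                anf[x] ^= anf[x ^ (1 << i)]
    return max((bin(u).count("1") for u, c in enumerate(anf) if c), default=0)

def nonlinearity(tt):
    """2^(n-1) - max|W_f|/2 via the fast Walsh-Hadamard transform."""
    w, h = [1 - 2 * b for b in tt], 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                w[j], w[j + h] = w[j] + w[j + h], w[j] - w[j + h]
        h *= 2
    return len(tt) // 2 - max(abs(v) for v in w) // 2

def vanishes_on(points, n, d):
    """True if some nonzero function of degree <= d is zero on every point."""
    monos = [sum(1 << i for i in c) for r in range(d + 1) for c in combinations(range(n), r)]
    basis = {}  # pivot bit -> reduced row; a row lists the monomials equal to 1 at a point
    for x in points:
        row = sum(1 << t for t, u in enumerate(monos) if (u & x) == u)
        while row:
            p = row.bit_length() - 1
            if p not in basis:
                basis[p] = row
                break
            row ^= basis[p]
    return len(basis) < len(monos)  # rank deficit <=> nontrivial annihilator

def algebraic_immunity(tt):
    n = len(tt).bit_length() - 1
    ones = [x for x, b in enumerate(tt) if b]        # annihilators of f vanish here
    zeros = [x for x, b in enumerate(tt) if not b]   # annihilators of f + 1 vanish here
    return next(d for d in range(n + 1)
                if vanishes_on(ones, n, d) or vanishes_on(zeros, n, d))

def profile(tt):
    """(weight, algebraic immunity, algebraic degree, nonlinearity) of a truth table."""
    return sum(tt), algebraic_immunity(tt), algebraic_degree(tt), nonlinearity(tt)

if __name__ == "__main__":
    for m in (2, 3, 4):
        print(2 * m, profile(construction_4_1(m)), profile(construction_5_1(m)))
```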

6 Concluding remarks 

In this paper, based on polar decomposition of multiplicative groups of quadratic extensions of
finite fields, we construct two classes of algebraic immunity optimal Boolean functions. We
find that the second class of Boolean functions possess almost all the necessary properties to
be used as filter functions in stream ciphers.

In fact, in the proof of Theorem 5.2, no property of the set
$A = \{1, \xi, \dots, \xi^{2^{m-1}}\}$ has been used except the cardinality of it. Therefore,
we can construct balanced OAI Boolean functions by setting
$\mathrm{supp}(F) = (\Gamma \times U) \cup (\{1\} \times A')$ for any subset $A'$ of $U$
satisfying $|A'| = 2^{m-1} + 1$. Then we have more opportunities to get balanced OAI Boolean
functions with high nonlinearity. However, univariate representations and algebraic degrees of
functions constructed using $A'$ with no special properties would be difficult to describe.